aboutsummaryrefslogtreecommitdiff
path: root/tests/qtest/fuzz
AgeCommit message (Collapse)Author
2021-03-23memory: Add offset_in_region to flatview_cb argumentsPeter Maydell
The function flatview_for_each_range() calls a callback for each range in a FlatView. Currently the callback gets the start and length of the range and the MemoryRegion involved, but not the offset within the MemoryRegion. Add this to the callback's arguments; we're going to want it for a new use in the next commit. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20210318174823.18066-4-peter.maydell@linaro.org
2021-03-23memory: Make flatview_cb return bool, not intPeter Maydell
The return value of the flatview_cb callback passed to the flatview_for_each_range() function is zero if the iteration through the ranges should continue, or non-zero to break out of it. Use a bool for this rather than int. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20210318174823.18066-2-peter.maydell@linaro.org
2021-03-19fuzz: Avoid deprecated misuse of -drive if=sdMarkus Armbruster
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3 uses -drive=sd where it should use -drive if=none instead. This prints a deprecation warning: $ ./build-oss-fuzz/DEST_DIR/qemu-fuzz-i386-target-generic-fuzz-sdhci-v3 -runs=1 -seed=1 [ASan warnings snipped...] --> i386: -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive: warning: bogus if=sd is deprecated, use if=none INFO: Seed: 1 [More normal output snipped...] Support for this usage will be gone soon. Adjust the test. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210319132008.1830950-1-armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-03-16fuzz: configure a sparse-mem device, by defaultAlexander Bulekov
The generic-fuzzer often provides randomized DMA addresses to virtual-devices. For a 64-bit address-space, the chance of these randomized addresses coinciding with RAM regions, is fairly small. Even though the fuzzer's instrumentation eventually finds valid addresses, this can take some-time, and slows-down fuzzing progress (especially, when multiple DMA buffers are involved). To work around this, create "fake" sparse-memory that spans all of the 64-bit address-space. Adjust the DMA call-back to populate this sparse memory, correspondingly Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-16fuzz: add a am53c974 generic-fuzzer configAlexander Bulekov
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-16fuzz: don't leave orphan llvm-symbolizers aroundAlexander Bulekov
I noticed that with a sufficiently small timeout, the fuzzer fork-server sometimes locks up. On closer inspection, the issue appeared to be caused by entering our SIGALRM handler, while libfuzzer is in it's crash handlers. Because libfuzzer relies on pipe communication with an external child process to print out stack-traces, we shouldn't exit early, and leave an orphan child. Check for children in the SIGALRM handler to avoid this issue. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Acked-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-16fuzz: fix the pro100 generic-fuzzer configAlexander Bulekov
The device-type names for the pro100 network cards, are i8255.. We were matching "eepro", which catches the PCI PIO/MMIO regions for those devices, however misses the actual PCI device, which we use to map the BARs, before fuzzing. Fix that Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-02-08fuzz: add virtio-9p configurations for fuzzingAlexander Bulekov
virtio-9p devices are often used to expose a virtual-filesystem to the guest. There have been some bugs reported in this device, such as CVE-2018-19364, and CVE-2021-20181. We should fuzz this device This patch adds two virtio-9p configurations: * One with the widely used -fsdev local driver. This driver leaks some state in the form of files/directories created in the shared dir. * One with the synth driver. While it is not used in the real world, this driver won't leak leak state between fuzz inputs. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20210117230924.449676-4-alxndr@bu.edu>
2021-02-08fuzz: enable dynamic args for generic-fuzz configsAlexander Bulekov
For some device configurations, it is useful to configure some resources, and adjust QEMU arguments at runtime, prior to fuzzing. This patch adds an "argfunc" to generic the generic_fuzz_config. When specified, it is responsible for configuring the resources and returning a string containing the corresponding QEMU arguments. This can be useful for targets that rely on e.g.: * a temporary qcow2 image * a temporary directory * an unused TCP port used to bind the VNC server Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210117230924.449676-2-alxndr@bu.edu>
2021-02-08fuzz: log the arguments used to initialize QEMUAlexander Bulekov
This is useful for building reproducers. Instead checking the code or the QEMU_FUZZ_ARGS, the arguments are at the top of the crash log. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210117201014.271610-3-alxndr@bu.edu>
2021-02-08fuzz: refine the ide/ahci fuzzer configsAlexander Bulekov
Disks work differently depending on the x86 machine type (SATA vs PATA). Additionally, we should fuzz the atapi code paths, which might contain vulnerabilities such as CVE-2020-29443. This patch adds hard-disk and cdrom generic-fuzzer configs for both the pc (PATA) and q35 (SATA) machine types. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Acked-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20210120152211.109782-1-alxndr@bu.edu>
2021-02-08fuzz: ignore address_space_map is_write flagAlexander Bulekov
We passed an is_write flag to the fuzz_dma_read_cb function to differentiate between the mapped DMA regions that need to be populated with fuzzed data, and those that don't. We simply passed through the address_space_map is_write parameter. The goal was to cut down on unnecessarily populating mapped DMA regions, when they are not read from. Unfortunately, nothing precludes code from reading from regions mapped with is_write=true. For example, see: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04729.html This patch removes the is_write parameter to fuzz_dma_read_cb. As a result, we will fill all mapped DMA regions with fuzzed data, ignoring the specified transfer direction. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20210120060255.558535-1-alxndr@bu.edu>
2021-01-11fuzz: map all BARs and enable PCI devicesAlexander Bulekov
Prior to this patch, the fuzzer found inputs to map PCI device BARs and enable the device. While it is nice that the fuzzer can do this, it added significant overhead, since the fuzzer needs to map all the BARs (regenerating the memory topology), at the start of each input. With this patch, we do this once, before fuzzing, mitigating some of this overhead. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20201221181203.1853-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-18fuzz: fix the generic-fuzz-floppy configAlexander Bulekov
On the pc-i440fx machine, the floppy drive relies on the i8257 DMA controller. Add this device to the floppy fuzzer config, and silence the warning about a missing format specifier for the null-co:// drive. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201216203328.41112-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-18fuzz: Add more i386 configurations for fuzzingAlexander Bulekov
This adds configurations for fuzzing the following devices on oss-fuzz: * vmxnet3 CC: Dmitry Fleytman <dmitry.fleytman@gmail.com> * ne2k * pcnet * rtl8139 CC: Jason Wang <jasowang@redhat.com> * eepro100 CC: Stefan Weil <sw@weilnetz.de> * sdhci CC: Philippe Mathieu-Daudé <f4bug@amsat.org> * ehci * ohci * ac97 * cs4231a * es1370 * sb16 CC: Gerd Hoffmann <kraxel@redhat.com> * megasas CC: Hannes Reinecke <hare@suse.com> * parallel CC: Michael S. Tsirkin <mst@redhat.com> CC: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201123184352.242907-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-11Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into ↵Peter Maydell
staging * Fix for NULL segments (Bin Meng) * Support for 32768 CPUs on x86 without IOMMU (David) * PDEP/PEXT fix and testcase (myself) * Remove bios_name and ram_size globals (myself) * qemu_init rationalization (myself) * Update kernel-doc (myself + upstream patches) * Propagate MemTxResult across DMA and PCI functions (Philippe) * Remove master/slave when applicable (Philippe) * WHPX support for in-kernel irqchip (Sunil) # gpg: Signature made Thu 10 Dec 2020 17:21:50 GMT # gpg: using RSA key F13338574B662389866C7682BFFBD25F78C7AE83 # gpg: issuer "pbonzini@redhat.com" # gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full] # gpg: aka "Paolo Bonzini <pbonzini@redhat.com>" [full] # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4 E2F7 7E15 100C CD36 69B1 # Subkey fingerprint: F133 3857 4B66 2389 866C 7682 BFFB D25F 78C7 AE83 * remotes/bonzini-gitlab/tags/for-upstream: (113 commits) scripts: kernel-doc: remove unnecessary change wrt Linux Revert "docs: temporarily disable the kernel-doc extension" scripts: kernel-doc: use :c:union when needed scripts: kernel-doc: split typedef complex regex scripts: kernel-doc: fix typedef parsing Revert "kernel-doc: Handle function typedefs that return pointers" Revert "kernel-doc: Handle function typedefs without asterisks" scripts: kernel-doc: try to use c:function if possible scripts: kernel-doc: fix line number handling scripts: kernel-doc: allow passing desired Sphinx C domain dialect scripts: kernel-doc: don't mangle with parameter list scripts: kernel-doc: fix typedef identification scripts: kernel-doc: reimplement -nofunction argument scripts: kernel-doc: fix troubles with line counts scripts: kernel-doc: use a less pedantic markup for funcs on Sphinx 3.x scripts: kernel-doc: make it more compatible with Sphinx 3.x Revert "kernel-doc: Use c:struct for Sphinx 3.0 and later" Revert "scripts/kerneldoc: For Sphinx 3 use c:macro for macros with arguments" scripts: kernel-doc: add support for typedef enum kernel-doc: add support for ____cacheline_aligned attribute ... Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-12-10vl: extract softmmu/datadir.cPaolo Bonzini
Reviewed-by: Igor Mammedov <imammedo@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-12-10Clean up includesMarkus Armbruster
Clean up includes so that osdep.h is included first and headers which it implies are not included manually. This commit was created with scripts/clean-includes, with the changes to the following files manually reverted: contrib/libvhost-user/libvhost-user-glib.h contrib/libvhost-user/libvhost-user.c contrib/libvhost-user/libvhost-user.h contrib/plugins/hotblocks.c contrib/plugins/hotpages.c contrib/plugins/howvec.c contrib/plugins/lockstep.c linux-user/mips64/cpu_loop.c linux-user/mips64/signal.c linux-user/sparc64/cpu_loop.c linux-user/sparc64/signal.c linux-user/x86_64/cpu_loop.c linux-user/x86_64/signal.c target/s390x/gen-features.c tests/fp/platform.h tests/migration/s390x/a-b-bios.c tests/plugin/bb.c tests/plugin/empty.c tests/plugin/insn.c tests/plugin/mem.c tests/test-rcu-simpleq.c tests/test-rcu-slist.c tests/test-rcu-tailq.c tests/uefi-test-tools/UefiTestToolsPkg/BiosTablesTest/BiosTablesTest.c contrib/plugins/, tests/plugin/, and tests/test-rcu-slist.c appear not to include osdep.h intentionally. The remaining reverts are the same as in commit bbfff19688d. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20201113061216.2483385-1-armbru@redhat.com> Acked-by: Paolo Bonzini <pbonzini@redhat.com> Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com> Tested-by: Thomas Huth <thuth@redhat.com> Acked-by: Cornelia Huck <cohuck@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Alexander Bulekov <alxndr@bu.edu>
2020-12-09fuzz: avoid double-fetches by defaultAlexander Bulekov
The generic fuzzer can find double-fetch bugs. However: * We currently have no good way of producing qemu-system reproducers for double-fetch bugs. Even if we can get developers to run the binary-blob reproducers with the qemu-fuzz builds, we currently don't have a minimizer for these reproducers, so they are usually not easy to follow. * Often times the fuzzer will provide a reproducer containing a double-fetch for a bug that can be reproduced without double-fetching. Until we find a way to build nice double-fetch reproducers that developers are willing to look at, lets tell OSS-Fuzz to avoid double-fetches. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201202164214.93867-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-11-10fuzz: add virtio-blk fuzz targetDima Stepanov
The virtio-blk fuzz target sets up and fuzzes the available virtio-blk queues. The implementation is based on two files: - tests/qtest/fuzz/virtio_scsi_fuzz.c - tests/qtest/virtio_blk_test.c Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <e2405c459302ecaee2555405604975353bfa3837.1604920905.git.dimastep@yandex-team.ru> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-11-10fuzz: Make fork_fuzz.ld compatible with LLVM's LLDDaniele Buono
LLVM's linker, LLD, supports the keyword "INSERT AFTER", starting with version 11. However, when multiple sections are defined in the same "INSERT AFTER", they are added in a reversed order, compared to BFD's LD. This patch makes fork_fuzz.ld generic enough to work with both linkers. Each section now has its own "INSERT AFTER" keyword, so proper ordering is defined between the sections added. Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com> Message-Id: <20201105221905.1350-2-dbuono@linux.vnet.ibm.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-11-03fuzz: fuzz offsets within pio/mmio regionsAlexander Bulekov
The code did not add offsets to FlatRange bases, so we did not fuzz offsets within device MemoryRegions. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201029172901.534442-4-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03fuzz: check the MR in the DMA callbackAlexander Bulekov
We should be checking that the device is trying to read from RAM, before filling the region with data. Otherwise, we will try to populate nonsensical addresses in RAM for callbacks on PIO/MMIO reads. We did this originally, however the final version I sent had the line commented out.. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201029172901.534442-3-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03fuzz: fix writing DMA patternsAlexander Bulekov
This code had all sorts of issues. We used a loop similar to address_space_write_rom, but I did not remove a "break" that only made sense in the context of the switch statement in the original code. Then, after the loop, we did a separate qtest_memwrite over the entire DMA access range, defeating the purpose of the loop. Additionally, we increment the buf pointer, and then try to g_free() it. Fix these problems. Reported-by: OSS-Fuzz (Issue 26725) Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reported-by: OSS-Fuzz (Issue 26691) Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201029172901.534442-2-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03tests/qtest: Fix potential NULL pointer dereference in qos_build_main_args()AlexChen
In qos_build_main_args(), the pointer 'path' is dereferenced before checking it is valid, which may lead to NULL pointer dereference. So move the assignment to 'cmd_line' after checking 'path' is valid. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Alex Chen <alex.chen@huawei.com> Message-Id: <5FA16ED5.4000203@huawei.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-10-26fuzz: register predefined generic-fuzz configsAlexander Bulekov
We call get_generic_fuzz_configs, which fills an array with predefined {name, args, objects} triples. For each of these, we add a new FuzzTarget, that uses a small wrapper to set QEMU_FUZZ_{ARGS,OBJECTS} to the corresponding predefined values. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-16-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26fuzz: add generic-fuzz configs for oss-fuzzAlexander Bulekov
Predefine some generic-fuzz configs. For each of these, we will create a separate FuzzTarget that can be selected through argv0 and, therefore, fuzzed on oss-fuzz. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-15-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26fuzz: add an "opaque" to the FuzzTarget structAlexander Bulekov
It can be useful to register FuzzTargets that have nearly-identical initialization handlers (e.g. for using the same fuzzing code, with different configuration options). Add an opaque pointer to the FuzzTarget struct, so that FuzzTargets can hold some data, useful for storing target-specific configuration options, that can be read by the get_init_cmdline function. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-14-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26fuzz: add a crossover function to generic-fuzzerAlexander Bulekov
Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-10-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26fuzz: add a DISABLE_PCI op to generic-fuzzerAlexander Bulekov
This new operation is used in the next commit, which concatenates two fuzzer-generated inputs. With this operation, we can prevent the second input from clobbering the PCI configuration performed by the first. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201023150746.107063-9-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26fuzz: Add support for custom crossover functionsAlexander Bulekov
libfuzzer supports a "custom crossover function". Libfuzzer often tries to blend two inputs to create a new interesting input. Sometimes, we have a better idea about how to blend inputs together. This change allows fuzzers to specify a custom function for blending two inputs together. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201023150746.107063-8-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26fuzz: Add DMA support to the generic-fuzzerAlexander Bulekov
When a virtual-device tries to access some buffer in memory over DMA, we add call-backs into the fuzzer(next commit). The fuzzer checks verifies that the DMA request maps to a physical RAM address and fills the memory with fuzzer-provided data. The patterns that we use to fill this memory are specified using add_dma_pattern and clear_dma_patterns operations. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201023150746.107063-5-alxndr@bu.edu> [thuth: Reformatted one comment according to the QEMU coding style] Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-24fuzz: Add PCI features to the generic fuzzerAlexander Bulekov
This patch compares TYPE_PCI_DEVICE objects against the user-provided matching pattern. If there is a match, we use some hacks and leverage QOS to map each possible BAR for that device. Now fuzzed inputs might be converted to pci_read/write commands which target specific. This means that we can fuzz a particular device's PCI configuration space, Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201023150746.107063-4-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-24fuzz: Add generic virtual-device fuzzerAlexander Bulekov
This is a generic fuzzer designed to fuzz a virtual device's MemoryRegions, as long as they exist within the Memory or Port IO (if it exists) AddressSpaces. The fuzzer's input is interpreted into a sequence of qtest commands (outb, readw, etc). The interpreted commands are separated by a magic seaparator, which should be easy for the fuzzer to guess. Without ASan, the separator can be specified as a "dictionary value" using the -dict argument (see libFuzzer documentation). Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-3-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-17fuzz: Disable QEMU's SIG{INT,HUP,TERM} handlersAlexander Bulekov
Prior to this patch, the only way I found to terminate the fuzzer was either to: 1. Explicitly specify the number of fuzzer runs with the -runs= flag 2. SIGKILL the process with "pkill -9 qemu-fuzz-*" or similar In addition to being annoying to deal with, SIGKILLing the process skips over any exit handlers(e.g. registered with atexit()). This is bad, since some fuzzers might create temporary files that should ideally be removed on exit using an exit handler. The only way to achieve a clean exit now is to specify -runs=N , but the desired "N" is tricky to identify prior to fuzzing. Why doesn't the process exit with standard SIGINT,SIGHUP,SIGTERM signals? QEMU installs its own handlers for these signals in os-posix.c:os_setup_signal_handling, which notify the main loop that an exit was requested. The fuzzer, however, does not run qemu_main_loop, which performs the main_loop_should_exit() check. This means that the fuzzer effectively ignores these signals. As we don't really care about cleanly stopping the disposable fuzzer "VM", this patch uninstalls QEMU's signal handlers. Thus, we can stop the fuzzer with SIG{INT,HUP,TERM} and the fuzzing code can optionally use atexit() to clean up temporary files/resources. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201014142157.46028-1-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-30vl: relocate paths to data directoriesPaolo Bonzini
As an additional advantage, the logic is now unified between POSIX and Win32 systems. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-30fuzz: use qemu_get_exec_dirPaolo Bonzini
Make things consistent with how softmmu/vl.c uses os_find_datadir. Initializing the path to the executables will also be needed for get_relocatable_path to work. Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-30oslib: do not call g_strdup from qemu_get_exec_dirPaolo Bonzini
Just return the directory without requiring the caller to free it. This also removes a bogus check for NULL in os_find_datadir and module_load_one; g_strdup of a static variable cannot return NULL. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-16fuzz: Change the way we write qtest log to stderrAlexander Bulekov
Telling QTest to log to /dev/fd/2, essentially results in dup(2). This is fine, if other code isn't logging to stderr. Otherwise, the order of the logs is mixed due to buffering issues, since two file-descriptors are used to write to the same file. We can avoid this, since just specifying "-qtest" sets the log fd to stderr. If we want to disable qtest logs, we can just add -qtest-log none. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200819061110.1320568-2-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-09-08fuzz: Add support for custom fuzzing libraryAlexander Bulekov
On oss-fuzz, we must use the LIB_FUZZING_ENGINE and CFLAGS environment variables, rather than -fsanitize=fuzzer. With this change, when LIB_FUZZING_ENGINE is set, the --enable-fuzzing configure option will use that environment variable during the linking stage, rather than -fsanitize=fuzzer Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200902173652.307222-3-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-08meson: specify fuzz linker script as a project argAlexander Bulekov
With this change, the fuzzer-linker script should be specified outside any --start-group/--end-group pairs. We need this on oss-fuzz, where partially applying the linker-script results in a linker failure Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200902173652.307222-2-alxndr@bu.edu> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-08-21meson: link emulators without Makefile.targetPaolo Bonzini
The binaries move to the root directory, e.g. qemu-system-i386 or qemu-arm. This requires changes to qtests, CI, etc. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-08-21meson: convert tests/qtest to mesonPaolo Bonzini
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-07-21fuzz: Fix leak when assembling datadir path stringAlexander Bulekov
We freed the string containing the final datadir path, but did not free the path to the executable's directory that we get from g_path_get_dirname(). Fix that. Reported-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200717163523.1591-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-17fuzz: Expect the cmdline in a freeable GStringAlexander Bulekov
In the initial FuzzTarget, get_init_cmdline returned a char *. With this API, we had no guarantee about where the string came from. For example, i440fx-qtest-reboot-fuzz simply returned a pointer to a string literal, while the QOS-based targets build the arguments out in a GString an return the gchar *str pointer. Since we did not try to free the cmdline, we have a leak for any targets that do not simply return string literals. Clean up this mess by forcing fuzz-targets to return a GString, that we can free. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200714174616.20709-1-alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-13tests/qtest/fuzz: Add missing spaces in descriptionThomas Huth
There should be a space between "forking" and "for". Message-Id: <20200709083719.22221-1-thuth@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-13fuzz: add missing header for rcu_enable_atforkAlexander Bulekov
In 45222b9a90, I fixed a broken check for rcu_enable_atfork introduced in d6919e4cb6. I added a call to rcu_enable_atfork after the call to qemu_init in fuzz.c, but forgot to include the corresponding header, breaking --enable-fuzzing --enable-werror builds. Fixes: 45222b9a90 ("fuzz: fix broken qtest check at rcu_disable_atfork") Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200708200104.21978-3-alxndr@bu.edu> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-06fuzz: do not use POSIX shm for coverage bitmapAlexander Bulekov
We used shm_open with mmap to share libfuzzer's coverage bitmap with child (runner) processes. The same functionality can be achieved with MAP_SHARED | MAP_ANONYMOUS, since we do not care about naming or permissioning the shared memory object. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200622165040.15121-1-alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-06fuzz: fix broken qtest check at rcu_disable_atforkAlexander Bulekov
The qtest_enabled check introduced in d6919e4 always returns false, as it is called prior to configure_accelerators(). Instead of trying to skip rcu_disable_atfork in qemu_main, simply call rcu_enable_atfork in the fuzzer, after qemu_main returns. Reported-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20200618160516.2817-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-06-15tests/qtest: Fix LGPL information in the file headersThomas Huth
It's either "GNU *Library* General Public License version 2" or "GNU Lesser General Public License version *2.1*", but there was no "version 2.0" of the "Lesser" license. So assume that version 2.1 is meant here. Message-Id: <20200605100645.6506-1-thuth@redhat.com> Reviewed-by: Laurent Vivier <lvivier@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Thomas Huth <thuth@redhat.com>